(19) Europäisches Patentamt
European Patent Office
Office européen des brevets

(11) EP 1 191 763 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 27.03.2002 Bulletin 2002/13

(21) Application number: 01203098.7

(22) Date of filing: 03.08.2001

(51) Int Cl.7: H04L 29/06, H04L 12/28

(84) Designated Contracting States:
AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR
Designated Extension States:
AL LT LV MK RO SI

(30) Priority: 22.09.2000 GB 0023270

(71) Applicant: ROKE MANOR RESEARCH LIMITED
Romsey, Hants SO51 0ZN (GB)

(72) Inventors:
• McCann, Stephen
Rownhams, Southampton SO16 8DS (GB)
• Hancock, Robert
Bitterne Park, Southampton SO18 1NW (GB)
• May, John
Chandlers Ford, Southampton SO53 3PD (GB)
• Hook, Michael
Chandlers Ford, Southampton SO53 4RU (GB)

(74) Representative: Neill, Andrew Peter et al
Siemens Shared Services Limited,
IPD,
Siemens House,
Oldbury,
Bracknell, Berkshire RG12 8FZ (GB)

(54) Access authentication system for a wireless environment



(57) An access authentication system is provided for authenticating access for visitors to a wireless local area network (W-LAN), the operator of which administers a visitor authentication, authorisation and accounting (VAAA) server. A user requesting visiting access to the W-LAN is required to have a valid cellular mobile account, a portable computing device with a browser and a valid W-LAN card from another operator that administers a home authentication, authorisation and accounting (HAAA) server. The user, on requesting visiting access to the W-LAN, inputs, via the VAAA server, identity information that enables the HAAA to issue a personal identification number (PIN) which is encoded and forwarded, preferably by way of a short message service (SMS), to the user's mobile telephone. This encoded PIN is transferred to the browser to authenticate the requested visiting access to the W-LAN, and the costs associated with such access are billed to the user's cellular mobile account; the requested access being achieved via the user's browser. The user may employ the browser to convey the identity information, via the W-LAN, to the VAAA. Alternatively, the user may call the VAAA on the mobile telephone to provide said identity information, in which case, the subject telephone call is preferably forwarded to the HAAA via a premium rate call unit.

Fig. 1 (schematic drawing; its labels include "telco-v" and VAAA)
Description

[0001] This invention relates to access authentication systems for Wireless Local Area Networks (W-LANs), and it relates especially to such systems as can cope with the problems of user-mobility between W-LANs.

[0002] In W-LAN systems, it is often the case that a user, subscribing with one network operator (hereinafter called "the Home Operator" for that user), wishes to connect, as a "visitor", to one or more other W-LAN sites. The operator of the visited W-LAN site, however, needs to be convinced of the bona fides and credit worthiness of the visitor before permitting access to the W-LAN system and/or before supplying the visitor with certain services or information. Our previous patent application No. (GB0022604.3; Internal No. 2000P04883GB) envisages the visiting user basing its connection to the visited W-LAN, for charging and other operational purposes, on that user's subscription with its Home Operator. This arrangement permits a visiting user, once authenticated as a visitor with regard to a particular LAN, to revisit that LAN for as long as the appropriate user authentication with the Home Operator remains sound, without further user intervention.

[0003] This represents a significant step forward in user convenience and is achieved by virtue of the operator of each W-LAN administering home (H) network and visitor (V) network authentication, authorisation and accounting (AAA) servers, which communicate with one another regarding the subscriber's identity and other relevant operational/charging criteria. Thus, the VAAA automatically communicates with the HAAA to derive the necessary authorisation and to organise the necessary charging, etc.

[0004] In general, however, the authentication of a new (unknown) user wishing to connect to a W-LAN system is difficult and requires the use of a third party or some direct physical communication. Even activation of a new feature of an existing subscription may require contact with the customer care department of an operator, which is an expensive and error-prone procedure. However such authentication is achieved, it ultimately becomes a question of trust, which limits current public space W-LAN operations to providing open access only.

[0005] This invention aims to reduce the problems of authentication, thus permitting a wider range of services to be provided to users, including visiting users, without compromising either the security of the networks or the ability of the network operators to ensure that they receive due payment for their services.
[0006] According to the invention there is provided an access authentication system for authenticating access to a first wireless local area network (W-LAN), the operator of which administers a visitor authentication, authorisation and accounting (VAAA) server, wherein a user requesting visiting access to the first W-LAN, and having a valid cellular mobile account, a portable computing device with a browser and a registration with a second W-LAN operator that administers a home authentication, authorisation and accounting (HAAA) server, conveys to the VAAA server, by user intervention, identity information sufficient to enable said VAAA server to communicate with said HAAA server so as to authenticate the proposed connection; said HAAA issuing a personal identification number (PIN) which is encoded and forwarded to the user's mobile telephone and transferred to the browser to authenticate the requested visiting access to the W-LAN; the cost of such access being billed to the user's cellular mobile account and the requested access being achieved via the user's browser.

[0007] By this means, the existence of the user's mobile cellular account is used by the system to provide the necessary verification of the user's identity, thus encouraging the W-LAN operator to provide, for example, extra secure services to that user. The SIM card that the mobile user must carry to operate the cellular mobile instrument thus acts as a certificate of trust between the mobile user and the network operator. Successful receipt by the user of a short message via the GSM or other short message service (SMS) addressed to the SIM is utilised to prove ownership of the SIM card, and hence identity of the user, without requiring a third party or manual intervention by the operator.

[0008] Preferably, the transfer of the PIN to the browser is effected manually by the user. Alternatively, however, it may be achieved automatically by means of software on the portable computer if this is connected to the mobile telephone. Such transfer can be effected remotely, for example by infra-red or Bluetooth, or directly by means of a cable connection.

[0009] Preferably, the PIN issued by the HAAA is encoded and forwarded to the user's mobile telephone by means of an SMS centre.

[0010] Preferably, in accordance with one aspect of the invention, the user employs the browser to convey said identity information (which may include or consist solely of a telephone number), via the first W-LAN, to the VAAA. This enables the user to set up a desired W-LAN log-on identity, and for this to be incorporated, together with the user's cellular telephone number, into the PIN. Preferably also, the PIN is combined with masking information, and it is further preferred that the masking information is randomly derived.

[0011] Preferably, in accordance with a second aspect of the invention, the user calls the VAAA on the mobile telephone to provide said identity information. In this case, the subject telephone call may be routed to the HAAA through a premium rate call unit.

[0012] In order that the invention may be clearly understood and readily carried into effect, certain embodiments thereof will now be described, by way of example only, with reference to the accompanying drawings, of which:

Figure 1 shows, in schematic form, the operation of a system in accordance with one embodiment of the invention; and

Figure 2 shows, in similar form, the operation of a system in accordance with a second embodiment of the invention.

[0013] Referring now to Figure 1, there is shown schematically the operation of a system in accordance with one example of the invention; it being assumed at the outset that a visiting user wishing to connect to a W-LAN has a valid cellular mobile account, a portable device, such as a WAP telephone or a UMTS terminal, with appropriate computing capability, having a suitable W-LAN interface and HTTP-compliant browser.

[0014] Upon entering the W-LAN, indicated generally at 1, an introductory web page 2 is displayed on the browser of the portable device. This page 2 requests (at 3) insertion of a desired W-LAN identity, selected by the user, together with that of the home network operator (telco-h) with whom that user subscribes, and (at 4) the user's cellular telephone number. Instead of the user's cellular number, any other information sufficient to identify the user's cell phone account could be used.

[0015] The entered information is combined with a randomly derived masking data string and sent across the W-LAN to a local service selection gateway (SSG) 5 using a secure communication protocol, such as may be incorporated into the browser of the portable device.

[0016] The SSG 5 forwards the transmitted information to the local visitor AAA unit 6 owned by the operator "telco-v" of the visited W-LAN, and thence to a telephony/Internet gateway 7 which utilises the information it receives to identify the mobile user's home AAA and sends the information to the home AAA, 8, which is operated of course by the user's home network operator, telco-h.

[0017] Telco-h establishes a W-LAN account for the user, which account is billed to the user's existing cellular account, although the subject charges are preferably made the subject of a separate entry list under the account so that they can be readily identified. In addition, at this stage, the home AAA, 8, generates a PIN, which is then encoded with the original masking data string and passed to a local short message service centre (SMSC), 9. The cellular mobile system then relays the message to the appropriate location, where it is received at the handset 10 of the mobile user, who manually transfers the encoded string from the message into the portable device, thus validating the W-LAN account creation process. Alternatively, the encoded string may be transferred automatically subject to the provision of a suitable data connection.

[0018] The above transaction can alternatively be achieved, if desired, by means including an infra-red (IR) link, short range wireless access device or by means of an extended cellular receiver unit embedded within the mobile user's portable device.

[0019] It is to be noted that the mobile user does not need to know individually the masking string and the PIN allocated by telco-h, only their combination.

[0020] If necessary, access for the mobile user to all or selected services on the visited W-LAN may be barred once the true identity of the home AAA 8 has been identified if, for example, it turns out to be a hostile regime, to be a bogus entry or to have a zero credit rating.

[0021] The operation of an alternative system, in accordance with a second embodiment of the invention, will now be described with reference to Figure 2.

[0022] In this alternative system, a registration number is freely given to the visiting mobile user at entry to the W-LAN. The registration number may, for example, be displayed on a poster or a screen, or contained on a freely distributed leaflet or in a web page set up to act as a default page for unregistered users of the W-LAN.

[0023] The user's cellular mobile device is employed to contact a premium rate service and then enter the (public) registration number, which will then register the user with the W-LAN in a similar manner to that described above with respect to Figure 1. Once the call is completed, the mobile user receives an SMS message, as described above, so completing the authentication process. In this case, the content of the message may be time-stamped and linked to the local access point and user identity, to prevent re-use or sharing of access.

[0024] Referring now specifically to Figure 2, in which components identical with or functionally equivalent to those shown in Figure 1 carry the same reference numbers, the user rings a premium rate number, using the mobile device 10, entering the public registration number to register with the W-LAN. The local visitor AAA, 6, routes this call to a premium rate call unit 11 which then sends the information to the home AAA, 8. The operator telco-h which owns this home AAA then establishes a W-LAN account for the user, billed, as before, to the existing cellular account for the mobile device 10.

[0025] A PIN is generated from this initialisation which is then encoded with the registration number sent from the user and passed to the local SMSC, 9. The cellular mobile system then relays the message to the appropriate location, where it is received by the mobile user on the handset, 10.

[0026] The user is then required to manually transfer the encoded data string (i.e. the string comprising the PIN encoded with the registration number) into the portable device with computing capability, thereby validating the W-LAN account creation process. As before, this transaction can alternatively be achieved by means of an infra-red link, short range wireless access or an embedded cellular receiver unit inside the mobile user's portable device.

[0027] The web page is used to provide the data string to the LAN, to authenticate the access and then start encryption since it can then easily be user-specific, without the user needing to provide, for example, a MAC address.
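The two exchanges described above ([0013] to [0019] for Figure 1, [0022] to [0027] for Figure 2) are modelled end to end below as an added, runnable example; it is not code from the patent or from its applicant. The patent does not say how the PIN is "encoded with" the masking string or the registration number, nor how long the encoded string stays valid, so the following are assumptions made for illustration: the combination delivered by SMS is an HMAC-SHA256 tag keyed with the masking string (Figure 1) or the public registration number (Figure 2) over the PIN and the session context, truncated to eight base32 characters; a code expires after five minutes and can be used once; and the time-stamp, access-point and identity binding of [0023] is enforced on the home AAA side and applied to both embodiments. The SSG 5, gateway 7 and premium rate call unit 11 are folded into the visitor AAA object, the SMSC and handset are simulated in-process, and all names, numbers and the registration string are made up.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_LIFETIME_S = 300  # assumption: an SMS code is valid for five minutes

@dataclass
class Pending:
    expected: str      # encoded string the user must hand to the browser
    identity: str      # W-LAN log-on identity (Fig. 1) or registration number (Fig. 2)
    access_point: str  # access point the code is tied to ([0023])
    issued_at: float   # time-stamp ([0023])
    used: bool = False

class SMSC:
    """Short message service centre (9): holds what each handset (10) receives."""
    def __init__(self):
        self.inbox = {}

    def send(self, cell_number, text):
        self.inbox.setdefault(cell_number, []).append(text)

class HomeAAA:
    """telco-h's home AAA (8): opens the W-LAN account, issues the PIN, checks the typed string."""
    def __init__(self):
        self.pending = {}  # cell_number -> Pending
        self.charges = {}  # cell_number -> W-LAN charge entries under the cellular account

    @staticmethod
    def encode(pin, mask, context):
        # Assumed encoding: HMAC keyed by the mask over PIN and context, truncated.
        # The user gets only this combination, never PIN or mask alone ([0019]).
        tag = hmac.new(mask.encode(), f"{pin}|{context}".encode(), hashlib.sha256).digest()
        return base64.b32encode(tag)[:8].decode()

    def issue(self, cell_number, identity, mask, access_point, now):
        pin = f"{secrets.randbelow(10**6):06d}"  # stays inside the HAAA
        self.charges.setdefault(cell_number, [])  # W-LAN account billed to the cellular account
        code = self.encode(pin, mask, f"{identity}|{access_point}")
        self.pending[cell_number] = Pending(code, identity, access_point, now)
        return code  # handed to the SMSC, addressed to the SIM

    def verify(self, cell_number, identity, access_point, typed, now):
        p = self.pending.get(cell_number)
        if p is None or p.used or now - p.issued_at > CODE_LIFETIME_S:
            return False
        if p.identity != identity or p.access_point != access_point:
            return False  # bound to one user and one access point: no sharing ([0023])
        if not hmac.compare_digest(p.expected, typed.strip().upper()):
            return False
        p.used = True  # single use: replaying the same SMS text is refused
        self.charges[cell_number].append((access_point, now))
        return True

class VisitorAAA:
    """telco-v's visitor AAA (6); SSG 5, gateway 7 and premium rate unit 11 folded in."""
    def __init__(self, access_point, homes, smsc):
        self.access_point, self.homes, self.smsc = access_point, homes, smsc

    def register(self, identity, home_operator, cell_number, mask, now):
        home = self.homes.get(home_operator)
        if home is None:
            return False  # [0020]: unknown, bogus or barred home operator, no SMS sent
        self.smsc.send(cell_number, home.issue(cell_number, identity, mask, self.access_point, now))
        return True

    def login(self, identity, home_operator, cell_number, typed, now):
        home = self.homes.get(home_operator)
        return home is not None and home.verify(cell_number, identity, self.access_point, typed, now)

def run_figure1(now=1000.0):
    """Browser path: device sends identity, telco-h and cell number plus a random mask."""
    smsc, home = SMSC(), HomeAAA()
    vaaa = VisitorAAA("ap-cafe-01", {"telco-h": home}, smsc)
    number, mask = "+441234567890", secrets.token_hex(8)  # made-up number; random mask ([0015])
    barred = vaaa.register("mallory@wlan", "telco-bogus", number, mask, now)
    vaaa.register("alice@wlan", "telco-h", number, mask, now)
    code = smsc.inbox[number][-1]  # read off the handset and typed into the browser
    elsewhere = VisitorAAA("ap-hotel-07", {"telco-h": home}, smsc)
    wrong_ap = elsewhere.login("alice@wlan", "telco-h", number, code, now + 20)
    first = vaaa.login("alice@wlan", "telco-h", number, code, now + 30)
    replay = vaaa.login("alice@wlan", "telco-h", number, code, now + 31)
    return barred, wrong_ap, first, replay  # (False, False, True, False)

def run_figure2(now=1000.0):
    """Telephony path: the public registration number plays the mask's part."""
    smsc, home = SMSC(), HomeAAA()
    vaaa = VisitorAAA("ap-lobby-02", {"telco-h": home}, smsc)
    number, reg = "+441234567890", "REG-7781"  # reg is printed on the poster ([0022])
    vaaa.register(reg, "telco-h", number, reg, now)  # keyed in on the premium rate call
    code = smsc.inbox[number][-1]
    late = vaaa.login(reg, "telco-h", number, code, now + CODE_LIFETIME_S + 1)  # expired
    in_time = vaaa.login(reg, "telco-h", number, code, now + 60)
    return late, in_time  # (False, True)
```

Calling `run_figure1()` shows what the binding buys: the same SMS text is refused at a second access point before it has been used, accepted once at the right one, and refused as a replay afterwards; `run_figure2()` shows the expiry check refusing a stale code without consuming it. The verifier holds only the expected combination and never has to reveal the PIN or the mask separately, which is the property [0019] relies on. Note what the check does not cover: whoever can read the message on the handset, or intercept it in transit, holds the complete credential for that session, so the scheme's strength rests on possession of the SIM, as [0007] states, and on the SMS path itself.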

[0028] It will be appreciated that the system of Figure 2 is purely telephony network based. Advantageously, the network operator (telco-v) does not need to have web-based forms up and running to operate the system of Figure 2. Moreover, the system of Figure 2 generates revenue (or prepayment revenue) via the premium access phone call, thus decoupling billing functionality from the W-LAN itself. This revenue can be automatically shared between the premium rate service provider and the W-LAN operator.

[0029] Although the invention has been described with regard to particular embodiments thereof, it is not intended that the scope of the claims of this application be limited to those embodiments, and alternative arrangements will be evident in many respects to those skilled in the art.



Claims

1. An access authentication system for authenticating access to a first wireless local area network (W-LAN), the operator of which administers a visitor authentication, authorisation and accounting (VAAA) server, wherein a user requesting visiting access to the first W-LAN, and having a valid cellular mobile account, a portable computing device with a browser and a registration with a second W-LAN operator that administers a home authentication, authorisation and accounting (HAAA) server, conveys to the VAAA server, by user intervention, identity information sufficient to enable said VAAA server to communicate with said HAAA server so as to authenticate the proposed connection; said HAAA issuing a personal identification number (PIN) which is encoded and forwarded to the user's mobile telephone and transferred to the browser to authenticate the requested visiting access to the W-LAN; the cost of such access being billed to the user's cellular mobile account and the requested access being achieved via the user's browser.

2. A system according to Claim 1 wherein the transfer of the PIN to the browser is effected manually by the user.

3. A system according to Claim 1 wherein the portable computing device is coupled to the mobile telephone and the transfer of the PIN to the browser is effected automatically by means including software supported by the portable computing device.

4. A system according to any preceding claim, wherein the PIN issued by the HAAA is encoded and forwarded to the user's mobile telephone by means of a short message service centre.

5. A system according to any preceding claim, wherein the user employs the browser to convey said identity information, via the first W-LAN, to the VAAA.

6. A system according to any preceding claim wherein the PIN is combined with masking information.

7. A system according to Claim 6 wherein said masking information is randomly derived.

8. A system according to any of claims 1 to 4 inclusive, wherein the user calls the VAAA on the mobile telephone.

9. A system according to Claim 8 wherein the telephone call from said user is routed to the HAAA through a premium rate call unit.

10. An access authentication system substantially as herein described with reference to and/or as shown in the accompanying drawings.